Groups/Roles Disappeared after configuring for LDAP

Posted: Thu Jul 12, 2012 9:30 pm
by ChrisHobbs
I'm looking at using OpenKM as a replacement for an ancient DMS we have in our organization, and it looks like a great fit so far. I installed a fresh system this morning to put into practice what I've been learning, and started on the fresh build by adding LDAP access per the wiki. Authentication works great, and users that are in the AdminRole LDAP group get admin access, and users in the UserRole LDAP group get non-admin access. So far so good!

However, I can no longer manage Roles or assign Groups for security. If, for example, I delete the UserRole permissions for an item, when I go back into security for that item I see no Groups listed on the right side as available. Likewise, in the administration panels, I see no roles listed to filter my user list, and no roles listed when I go into the Roles link. I'm attaching screenshots that should make it clear what I'm describing. However, they clearly work as designed as I can log in with LDAP credentials and get the proper permissions based on my LDAP group membership.

I'm guessing I missed something in my LDAP settings, so here they are (munged slightly):
Code:
principal.ldap.mail.attribute	String 	mail 
principal.ldap.mail.search.base	String 	ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.mail.search.filter	String 	(&(objectClass=InetOrgPerson)(cn={0}))
principal.ldap.referral	String 	follow
principal.ldap.role.attribute	String 	cn
principal.ldap.role.search.base	String 	ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.role.search.filter	String 	(objectClass=posixGroup) 
principal.ldap.roles.by.user.attribute	String 	cn 
principal.ldap.roles.by.user.search.base	String 	ou=Roles,ou=OpenKM,ou=ApplicationSupport,dc=nhusd,dc=k12,dc=ca,dc=us 
principal.ldap.roles.by.user.search.filter	String 	(memberID={0}) 
principal.ldap.security.credentials	String 	********
principal.ldap.security.principal	String 	cn=admin***** 
principal.ldap.server	String 	ldap://host.domain.com:389/ 
principal.ldap.user.attribute	String 	cn 
principal.ldap.user.search.base	String 	ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us 
principal.ldap.user.search.filter	String 	(objectClass=inetOrgPerson) 
principal.ldap.username.attribute	String
principal.ldap.username.search.base	String
principal.ldap.username.search.filter	String
principal.ldap.users.by.role.attribute	String 	memberUid 
principal.ldap.users.by.role.search.base	String 	ou=Roles,ou=OpenKM,ou=ApplicationSupport,dc=nhusd,dc=k12,dc=ca,dc=us 
principal.ldap.users.by.role.search.filter	String 	(&(objectClass=posixGroup)(cn={0}))
Thanks in advance!

Chris

Re: Groups/Roles Disappeared after configuring for LDAP

Posted: Thu Jul 12, 2012 11:08 pm
by ChrisHobbs
principal.ldap.roles.by.user.search.filter String (memberID={0})
And of course, this should actually be:

principal.ldap.roles.by.user.search.filter String (memberUid={0})

That improved my User list, in that it now shows what role each user has. But the dropdown filter is still blank, and I can't assign security groups as described above.

Re: Groups/Roles Disappeared after configuring for LDAP

Posted: Sun Jul 15, 2012 8:31 am
by jllort
Have you changed principalAdaptor to ldapPrincipalAdapter and then restarted the application (restarting in this case is mandatory)?

After that, you should concentrate on the Administration view and go step by step; the first step should be getting the user list:
Code:
principal.ldap.user.attribute String cn
principal.ldap.user.search.base String ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.user.search.filter String (objectClass=inetOrgPerson) 

Re: Groups/Roles Disappeared after configuring for LDAP

Posted: Mon Jul 16, 2012 8:02 pm
by ChrisHobbs
jllort wrote: Have you changed principalAdaptor to ldapPrincipalAdapter and then restarted the application (restarting in this case is mandatory)?

After that, you should concentrate on the Administration view and go step by step; the first step should be getting the user list:
Thanks for replying, jllort!

The adapter had been changed to com.openkm.principal.LdapPrincipalAdapter, and LDAP users can log in. I also see all of them listed in the User list. I also see the Roles to which they are assigned in the list. However, the dropdown Role filter list is empty.

Re: Groups/Roles Disappeared after configuring for LDAP

Posted: Thu Jul 19, 2012 7:24 am
by jllort
Now you should concentrate on:
Code:
principal.ldap.role.attribute= cn
principal.ldap.role.search.base= ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.role.search.filter=(objectClass=posixGroup)
All roles are in this node or in several subnodes; if they are in subnodes, you should enable the follow parameter.
Code:
principal.ldap.referral=follow

Re: Groups/Roles Disappeared after configuring for LDAP

Posted: Fri Jul 20, 2012 4:53 pm
by ChrisHobbs
Many thanks for the hand-holding. I had pointed principal.ldap.role.search.base at my user container, not my role container. Changing it to the right spot has got me squared away!

Onward to configuration of a taxonomy for my users now :)
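
The two misconfigurations found in this thread (the role search base pointing at the user container, and memberID in place of memberUid), expressed as an added lint check that is not part of any post or of OpenKM itself. It assumes the key names shown in the thread; `parse`, `lint` and both heuristics are hypothetical helpers, and the sample rows are constructed from the first post.

```python
import re

# Constructed sample: rows copied from the first post, limited to the keys checked here.
SAMPLE = """\
principal.ldap.role.search.base\tString\tou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.roles.by.user.search.base\tString\tou=Roles,ou=OpenKM,ou=ApplicationSupport,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.roles.by.user.search.filter\tString\t(memberID={0})
principal.ldap.user.search.base\tString\tou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.users.by.role.attribute\tString\tmemberUid
principal.ldap.users.by.role.search.base\tString\tou=Roles,ou=OpenKM,ou=ApplicationSupport,dc=nhusd,dc=k12,dc=ca,dc=us
"""

ROW = re.compile(r"\s*principal\.ldap\.([\w.]+)\s*(?:=|\s+String\b)\s*(.*)$")

def parse(dump):
    """Read 'key String value' rows or 'key=value' rows into a dict (prefix stripped)."""
    rows = (ROW.match(line) for line in dump.splitlines())
    return {m.group(1): m.group(2).strip() for m in rows if m}

def norm_dn(dn):
    # Case/whitespace-insensitive comparison; escaped commas in RDNs are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def filter_attrs(ldap_filter):
    """Attribute names tested by an LDAP filter, lowercased."""
    return {a.lower() for a in re.findall(r"\(([A-Za-z][\w;-]*)\s*[~<>]?=", ldap_filter)}

def lint(cfg):
    findings = []
    role_base = norm_dn(cfg.get("role.search.base", ""))
    group_bases = {norm_dn(cfg[k]) for k in
                   ("roles.by.user.search.base", "users.by.role.search.base") if cfg.get(k)}
    # Heuristic 1 (assumption): the role list is searched in the user container
    # while the membership lookups point at a different (group) container.
    if role_base and role_base == norm_dn(cfg.get("user.search.base", "")) \
            and group_bases and role_base not in group_bases:
        findings.append("role.search.base matches user.search.base, not the group container")
    # Heuristic 2 (assumption): the membership attribute read from a group differs
    # from the one the roles-by-user filter searches on (memberID vs memberUid).
    member = cfg.get("users.by.role.attribute", "").lower()
    tested = filter_attrs(cfg.get("roles.by.user.search.filter", ""))
    if member and tested and member not in tested:
        findings.append("roles.by.user.search.filter does not test " + member)
    return findings

if __name__ == "__main__":
    for finding in lint(parse(SAMPLE)):
        print("WARN:", finding)
```

Both warnings disappear once role.search.base is set to the Roles container and the filter reads (memberUid={0}), which is the state the thread ends in.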